Ramblings about security, rants about insecurity, occasional notes about reverse engineering, and of course, musings about malware. What more could you ask for?

Tuesday, December 6, 2016

New Linux privilege escalation vulnerability

There's a new Linux privilege escalation vulnerability (CVE-2016-8655) that will allow normal users to elevate to root. The bug is in the networking subsystem and relies on the attacker being able to create a raw socket with CAP_NET_RAW. In most Linux distributions, users can't do this unless unprivileged namespaces are enabled.

Red Hat notes that RHEL 5 and RHEL 6 are not impacted by the bug. RHEL 7 is, but not in its default configuration, since unprivileged namespaces are not enabled.

The researcher who found the bug (Philip Pettersson) notes that he discovered the bug by examining areas where memory is allocated in unprivileged namespaces. Since these are a relatively new development in Linux, it might be that there are locations where developers didn't account for untrusted users having access to manipulate certain kernel structures. Other such issues may exist in other areas of the code.

At Rendition Infosec we always recommend that clients minimize their exposure by applying the latest operating system and software patches. This bug also demonstrates another principle that we try to drive home with our clients: minimize your attack surface. If you don't need it, don't enable it. Minimizing attack surface is what keeps Red Hat 7 from being vulnerable in a default configuration.
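
One way to audit whether a host leaves unprivileged user namespaces available is sketched below. This is an added example, not part of the original post; the two sysctl names it reads (`user.max_user_namespaces` and `kernel.unprivileged_userns_clone`) are not mentioned in the post and are assumed to be the relevant knobs on mainline and Debian/Ubuntu kernels respectively.

```shell
#!/bin/sh
# Added example: report whether unprivileged user namespaces look available.
# Both sysctl names are assumptions not taken from the post:
#   user.max_user_namespaces          (mainline kernels 4.9 and later)
#   kernel.unprivileged_userns_clone  (Debian/Ubuntu kernel patch)

# userns_exposure [ROOT]
# ROOT is a prefix for /proc, so the function can be pointed at a
# constructed directory tree for testing; empty means the live system.
userns_exposure() {
    root=${1:-}
    max_file="$root/proc/sys/user/max_user_namespaces"
    clone_file="$root/proc/sys/kernel/unprivileged_userns_clone"
    seen=0

    if [ -r "$max_file" ]; then
        seen=1
        max=$(tr -d '[:space:]' < "$max_file")
        if [ "$max" = "0" ]; then
            echo "restricted: user.max_user_namespaces=0"
            return 0
        fi
    fi

    if [ -r "$clone_file" ]; then
        seen=1
        clone=$(tr -d '[:space:]' < "$clone_file")
        if [ "$clone" = "0" ]; then
            echo "restricted: kernel.unprivileged_userns_clone=0"
            return 0
        fi
    fi

    if [ "$seen" -eq 1 ]; then
        echo "enabled: neither sysctl restricts user namespaces"
    else
        echo "unknown: neither sysctl is present on this kernel"
    fi
}

# Check the running system.
userns_exposure ""
```

An "unknown" result means the kernel exposes neither knob, so the distribution's own documentation has to settle the question. The check covers only the namespace route to CAP_NET_RAW, not processes that hold the capability by other means.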